[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

automatically strip no-dsa tags by gen-DLA

In an attempt to complete this TODO item from the wiki:

automatically strip no-dsa tags by gen-DLA

This is my very early attempt to modify the CVE parser so that it can
write the results back to the CVE file again. Meaning we can made
deliberate modifications to the data before doing so.


Unfortunately in making the required changes, it is no longer compatible
with the previous API. As we need to keep track of all the data in such
away that any modifications are reversible. Which is why I copied the
files completely rather then trying to edit in place. The original
parser makes certain changes that are not reversible and can produce
slightly different results (e.g. different ordering of values, different
white-space, etc).

Currently it produces a file with the following differences (see diff
below), the first two changes are due to twp tab characters being
replaced by spaces (not sure it matters enough to try and fix this...)
and the last was due to deliberate filtering (line 273).

The filtering is currently hard coded, this should be called somehow by

Any comments or suggestions?

=== cut ===
--- data/CVE/list	2019-11-12 16:54:16.835792742 +1100
+++ a	2019-11-15 16:51:09.043817845 +1100
@@ -354371,7 +354371,7 @@
 	NOT-FOR-US: Trend Micro Anti-Rootkit Common Module
 CVE-2007-0855 (Stack-based buffer overflow in RARLabs Unrar, as packaged in WinRAR an ...)
 	- rar 1:3.7b1-1 (high; bug #410582)
-	[sarge]	- rar <no-dsa> (Non-free)
+	[sarge] - rar <no-dsa> (Non-free)
 	[etch] - rar <no-dsa> (Non-free)
 	- unrar-nonfree 1:3.7.3-1 (high; bug #410580)
 	[sarge] - unrar-nonfree 1:3.5.2-0.2
@@ -359261,7 +359261,7 @@
 	NOT-FOR-US: BytesFall Explorer (bfExplorer)
 CVE-2006-5718 (Cross-site scripting (XSS) vulnerability in error.php in phpMyAdmin 2. ...)
 	- phpmyadmin 4: (low; bug #396638)
-	[sarge]	- phpmyadmin <not-affected> (Vulnerable code not present)
+	[sarge] - phpmyadmin <not-affected> (Vulnerable code not present)
 CVE-2006-5717 (Multiple cross-site scripting (XSS) vulnerabilities in Zend Google Dat ...)
 	NOT-FOR-US: Zend Google Data Client Library (ZendGData)
 CVE-2006-5716 (Directory traversal vulnerability in aff_news.php in FreeNews 2.1 allo ...)
@@ -376628,7 +376628,6 @@
 	NOT-FOR-US: Sun Java System Directory Server
 CVE-2005-3268 (yiff server (yiff-server) 2.14.2 on Debian GNU/Linux runs as root and  ...)
 	- yiff 2.14.2-8 (bug #334616; low)
-	[sarge] - yiff <no-dsa> (Only a minor privacy leak)
 CVE-2005-3267 (Integer overflow in Skype client before 1.4.x.84 on Windows, before 1. ...)
 	NOT-FOR-US: Skype
=== cut ===

Brian May <bam@debian.org>

Reply to: